ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

properly deal with trusting keys to supress UX confusion about trusted keys

Browse Source 
key-init makes sure trustdb is updated at run time and user and distro keys are ultimately trusted. Each time a file is signed, the related public key is showed without error on it's trustability.
flash-gui deals with gpg1 to gpg2 migration. If pubring.kbx is found, pubring.gpg is deleted from running rom dump.
This commit is contained in:
Thierry Laurion 2019-02-08 12:38:38 -05:00
parent 8dd1082808
commit 005a19eeda
No known key found for this signature in database
GPG Key ID: 79C78E6659DB658F
2 changed files with 62 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
initrd/bin/flash-gui.sh
View File

@ -101,9 +101,9 @@ while true; do
if (whiptail --title 'Flash ROM?' \
--yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
if [ "$menu_choice" == "c" ]; then
/bin/flash.sh -c $ROM
/bin/flash.sh -c "$ROM"
else
/bin/flash.sh $ROM
/bin/flash.sh "$ROM"
fi
whiptail --title 'ROM Flashed Successfully' \
--msgbox "$ROM flashed successfully. Press Enter to reboot" 16 60
@ -137,23 +137,42 @@ while true; do
ROM=$FILE
fi
cat $PUBKEY | gpg --import
cp $ROM /tmp/gpg-gui.rom
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx") then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
fi
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
cat "$PUBKEY" | gpg --import
#update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
gpg --update-trust
#TODO: Remove this? Not useful in GPG2
cp "$ROM" /tmp/gpg-gui.rom
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
if [ -e /.gnupg/pubring.gpg ];then
rm /.gnupg/pubring.gpg
fi
fi
fi
#to be compatible with gpgv1
if [ -e /.gnupg/pubring.kbx ];then
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
if [ -e /.gnupg/pubring.gpg ];then
rm /.gnupg/pubring.gpg
fi
fi
if [ -e /.gnupg/pubring.gpg ];then
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
fi
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
fi
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
#Remove old method owner trust exported file
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
fi
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/otrust.txt" -f /.gnupg/otrust.txt
if (whiptail --title 'Flash ROM?' \
--yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
@ -185,17 +204,42 @@ while true; do
exit 1
fi
cat $PUBKEY | gpg --import
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx") then
cat "$PUBKEY" | gpg --import
#update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
gpg --update-trust
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
if [ -e /.gnupg/pubring.gpg ];then
rm /.gnupg/pubring.gpg
fi
fi
fi
#to be compatible with gpgv1
if [ -e /.gnupg/pubring.kbx ];then
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
if [ -e /.gnupg/pubring.gpg ];then
rm /.gnupg/pubring.gpg
fi
fi
if [ -e /.gnupg/pubring.gpg ];then
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
fi
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
fi
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
#Remove old method owner trust exported file
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
fi
if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
/bin/flash.sh /tmp/gpg-gui.rom

11
initrd/bin/key-init
View File

@ -5,14 +5,13 @@ set -e -o pipefail
# Post processing of keys
# Import user's keys
gpg --import /.gnupg/keys/*.key 2>/dev/null || true
#Import trustdb if it exists
if [ -s /.gnupg/keys/otrust.txt ]; then
gpg --import-ownertrust /.gnupg/keys/otrust.txt
fi
gpg --import /.gnupg/keys/*.key /.gnupg/keys/*.asc 2>/dev/null || true
# Import trusted distro keys allowed for ISO signing
gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true
#Set distro keys trust level to ultimate (trust anything that was signed with these keys)
gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || true
gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || true
# Add user's keys to the list of trusted keys for ISO signing
gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || true